Privacy Policy

The Center for Democracy & Technology (CDT) believes that privacy is a fundamental human right, and we are committed to protecting your privacy when you visit our website or interact with us, online or offline. We have written this Privacy Policy to explain what information we collect and how we use it. If you have any concerns about this policy, please contact CDT via our Contact page or call (202) 637-9800. We can also be reached at 1401 K Street NW, Suite 200, Washington DC 20005.

TL;DR

This Privacy Policy is nearly 4,000 words long. We understand that can be an imposing reading assignment, and CDT wanted to provide a few key guidelines for how we collect, use, and retain information:

We do not sell, rent, exchange or otherwise share any information that we collect unless you direct us to, except as necessary to process donation transactions, report malicious attacks or as required by law.

Some data we collect from you on our website, including donations, mailing list subscriptions, records of our mass communications, and select emails are stored in our contact relationship database (CRM). Donor information will be stored in the CRM database until the donor provides an update or requests deletion.

Our website limits use of cookies to our website analytics software, Google Universal Analytics. You can disable cookies on this site and your website experience should remain the same. You can disable cookies in your browser or opt-out of Google Universal Analytics in our “Cookie Policy” section below.

You have the right to access, correct, update, or delete the information we may have about you. We will endeavor to disclose to you any information we have about you, and we will attempt to comply with your request to the best of our capabilities. Please contact us to exercise these rights.

Details

What information does CDT collect?

CDT’s website collects technical information about website visitors, including IP addresses and other data for website analytics (see below to learn more about this). We also collect non-technical data about you. The personal information we collect is generally limited to the following kinds of information:

You can learn more about why we collect this information below, but we strive to collect the minimum amount of personal information necessary to keep in touch with supporters and others who reach out to us.

How and why does CDT collect information?

We collect information when you visit our website, join our mailing lists, make a donation, or contact us. We collect information about prospective employees and interns. We also collect information about current donors. Some data we collect from you, including donations, mailing list subscription, records of our mass communications, or other communications.

Contacting Us

CDT welcomes your feedback. If you choose to contact us, via our website, social media, or the mail, we will not use the information for any purpose other than to respond to your inquiry or to act on your suggestion or comment. We will not share your information with others except with your permission or upon your request.

How long does CDT retain this information? Any information you provide us via email, social media, or our Contact page on our website (as well as responses, if any, to your inquiry or comment) are removed from our computer systems after it has been addressed. However, individual employees often retain copies of any correspondence.

Donations

If you make a donation to CDT, we will record your name and contact information in our CRM database so that we can acknowledge and thank you for your donation, provide tax-exemption receipts to you, contact you with news that may be of interest or for future donation opportunities, and answer any questions you may have about your donation. At the time of your donation, we may also ask whether we should include you on a list of supporters. Should you wish to opt-out of future communications, you may do so by following the information in the message or by requesting removal. Donor information will be stored in the CRM database until the donor provides an update or requests deletion.

CDT keeps financial records for auditing and tax purposes, but we can, at an individual’s request, make either a gift, or an account, anonymous at any time.

If you choose to use our website to make a donation to CDT, your credit card information (or other financial information used to execute a donation transaction) will be processed by a third-party provider, which is currently iATS Payments, that handles our donations. This vendor will collect information about your device, including IP address, and will deposit identifiers, such as session cookies (temporary cookies are stored until you close your web browser) on your computer in order to process your transaction. CDT does not, in any way, receive or log your credit card information or other sensitive financial information. In the case of a recurring gift, your financial information is still held by the third party provider. CDT can initiate or stop payment based on a donor’s preferences, but we do not have any access to the financial information stored in their system.

How long does CDT retain this information? Contact information (name, home address, and email address) you provide when making a donation online will be retained indefinitely unless you ask us to delete it. The financial record is retained indefinitely for auditing and tax purposes, but we can remove contact information and otherwise make a gift or account anonymous upon request from an individual.

Employment Applications

CDT asks prospective employees and interns to provide us with their information. This information might include a cover letter, resume or CV, biographical information, contact details, and references. This information is ONLY shared with relevant staff internally.

How long does CDT retain this information? CDT requires the removal of application data from our computer systems when applicants are no longer under consideration, though copies of applicant information may be retained by individual employees. Some applicant information may also be retained in the personnel files of CDT employees and interns.

Events

CDT asks for your information when registering for our events, conferences, or working groups. We use this information to register you for events and to inform you about event changes. We also use this information to contact you about other events our staff participate in. You have the option to unsubscribe at any time. When you submit information using third party forms like Eventbrite or Google Forms, data may be collected by those vendors and processed subject to their terms of service.

In the case of a financial transaction occurring in conjunction with an event, both donor information and gift information is collected, but the third-party payment processor retains all financial information, not CDT.

How long does CDT retain this information? Email addresses that are added to our event lists are retained until the associated users ask to remove their names from the mailing list.

Mailing Lists

To sign up for our mailing lists online, CDT asks for your name, email address, postal code, and country. We also inquire about your job title and organization. We also ask for postal codes and countries to make sure that communications are geographically appropriate to the subscriber.

If you submit your email address to be added to a mailing list, we will use the email address for the sole purpose of sending you the materials associated with that mailing list. For example, if you sign up to receive our newsletter, we will use your email to send you the newsletter, but not our events invitations or press releases. Each email we send will contain information on how to unsubscribe from our mailing list. You can also unsubscribe by going to our Contact page and requesting removal from a specific mailing list.

How long does CDT retain this information? Email addresses submitted to subscribe to mailings lists are retained until the associated users ask to remove their names from the mailing list, except that copies of the mailing list may be retained for one year in backup storage. In the unlikely event that we have technical problems that cause us to revert to a backup copy of a mailing list, our systems may restore a previously removed address to a mailing list. Removal from our mailing list might then require the user to request removal a second time.

Social Media

CDT actively uses social media to engage with the public and advance our work. Specifically, CDT has Facebook, Google+, and LinkedIn pages, a Twitter feed, a YouTube channel, and a SoundCloud profile hosting our podcast, Tech Talks. Information shared on those pages is governed by each platform’s respective privacy policy. We do not export information about our followers from Facebook, although we do export information about donations processed from Facebook. We also utilize use Bit.ly as a link shortener on some posts on a variety of platforms.

How long does CDT retain this information? We also receive direct messages over social media on occasion. As addressed above, any information you provide us when you contact us is removed from our computer systems after we have responded. For direct messages on social media, we attempt to delete these messages after each inquiry is resolved. However, individual employees may retain copies of any correspondence.

Via Our Website

Like many websites, CDT collects information automatically regarding any visits to our website. CDT’s web server generates and retains log files that record information about visitors that connect to our site. CDT uses one analytics program — Google Universal Analytics — to collect similar information. We detail more about how our website collects information below.

How long does CDT retain this information? All data that is collected in individualized log files by our web server is deleted within 7 days, unless we believe that we need to retain it for longer in order to investigate or report a bug or malicious attack. We do not have backup storage of our log files. Aggregated data about visitors to our website – which is not linked back to individual visitors – is maintained indefinitely.

How does CDT’s website collect information?

Log Files Nginx, our web server software, generates log files — text files that record one line of data each time a browser request is made. For example, a line of data elements (described in detail below) is added to the end of a log file each time a page is viewed or an element on the page is clicked. CDT uses its log files only to fix errors on the site and to defend against malicious attacks. If we detect an attack on our site, we will use log file data to try to determine the source of the attack. We may also share or report to law enforcement or other service providers (such as denial-of-service mitigation service providers) information about malicious attacks. All log files are automatically deleted after 7 days unless we believe that we need to retain them for longer in order to investigate or report a bug or malicious attack. CDT logs the following information from users who visit our site:

Internet Protocol (IP) address: The address of your computer on the Internet. Your IP address gets transmitted whenever you communicate online or surf the Web so that the content you are looking at and the people you are talking to can find your computer on the network in order to respond to you.

The time and date the browser requested the URL of the page.

URL of the page that directed (a “referrer”) you to our site: If you arrive at our website through a link on another website (a blog, newspaper article, or search engine, for example) our web server will record the address of the web page that referred you to our site, if available. If you arrive at our website by clicking on a search result returned by a search engine, our server will record the search terms that you used when that information is available. However, for search engines that offer encryption (such as Google.com’s organic search results), we do not receive the search terms that you used.

The web pages within our site: The specific web pages you visit within our site, including the first page you visit (the entry page) and the last page you visit (the exit page).

Amount of traffic used in the transaction: The total number of bytes downloaded when you browse our site.

Analytics CDT uses Google Universal Analytics to learn about how people use our site. The data that the software collects about your visit on behalf of CDT and sends to Google’s servers is similar to the log file data described above:

Your device type, brand, and model

Your operating system

Your browser type, plugins, and version

Pages you viewed on our site and time spent on each page

Referrer type and URL

Language of your browser

Country (determined by IP address) NOTE: We use Google Analytics with IP address masking activated; this means that Google only receives the first three octets of your IP address (e.g., 100.124.152.100 is logged as 100.124.152.0). This IP masking takes place as soon as data is received by Google’s Analytics servers. At no time is the full IP address stored on Google’s servers as the IP masking process happens in the volatile memory (a temporary data location) on Google’s servers nearly instantaneously after the request has been received. Because your full IP address is never stored on Google’s Analytics’ servers when the anonymization flag is turned on – as it is with CDT’s Google Analytics account – our analytics data will not include your full, individual IP address. Read more about IP Anonymization in Google Analytics.

Searches Our site search function is supported by WordPress, an open source Content Management System. CDT records search terms used in searches of our website for analytics purposes. We do not log or correlate search term data with IP address or any other information about our visitors.

Cookie Policy

Web cookies are small text files that are placed on your machine to help sites retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third-party applications like Google Universal Analytics. As a rule, web cookies can make your browsing experience more seamless, but you may prefer to disable cookies on this site and on others. If you choose to disable cookies on our website, you should notice no difference in your browsing experience. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers. CDT only uses cookies with our website analytics software, Google Universal Analytics. While we run Google Universal Analytics using the option for de-identification, it does require cookies to work properly. You can opt out of CDT’s use of Google Analytics by selecting: OPT-OUT here.

What other information is collected by third parties on CDT’s website?

Our website contains some third-party tools. We have limited the amount of information that these third-party tools can collect about you on our website.

Embedded YouTube Videos On certain pages on our site, we may embed YouTube videos. Even if you don’t interact with a YouTube video, Google displays the image of the video on our site, and may collect and store log data associated with rendering that image on your device (including IP address and browser configuration). Even if you choose to play a YouTube video, we have configured the YouTube videos we embed to use the “-nocookie” option, so Google will not associate your visit with a Google cookie or account. However, they may collect additional log data associated with rendering the video on your device.

Genius Web Annotator On certain pages of our site, CDT directs you to view annotations of text via the Genius Web Annotator. This service is separate from CDT’s website and is governed by Genius’s privacy policy.

Facebook, LinkedIn, and Twitter Buttons You can share articles and blog posts from our site on Facebook, LinkedIn, and Twitter. When you click on our site’s sharing buttons, your browser will open a new window linking you to these social platforms. However, because we host the images for the Facebook, LinkedIn and Twitter buttons ourselves, they are not able to log the fact that you visited one of our pages merely because one of their branded buttons is on that page. They only receive information about your visit to our site if you click on the widget to share through one of those services. You can also share selected passages from our website to LinkedIn, Twitter, or directly with your email client.

What about Do Not Track?

Many browsers offer Do Not Track features that let you communicate to the sites you visit that you don’t want to be tracked around the web. Do Not Track was designed to limit tracking across different sites and services — such as by third-party behavioral ad networks who track users across unaffiliated websites. CDT’s logfile and analytics collection is limited to the sites we own and operate. Since first-party data collection and use is outside the scope of a Do Not Track request, we do not limit our logfile or analytics data collection for users who have Do Not Track enabled.

How do we store and secure your information?

CDT uses industry-standard security measures to protect the information we collect. An encrypted (Transport Layer Security (TLS)) connection is used throughout the cdt.org website and when you submit a donation through our donation processor, securing your information as it travels across the Internet. For information we automatically collect from site visitors, we employ standard computer and network access control mechanisms to limit access to stored data to our technical staff. Donor information, professional contacts made by our staff, and mailing list and working group subscriptions are stored in a CRM operated by Salesforce. We periodically review, update, and where appropriate, delete information in this CRM. Donor information will be stored in the CRM database until the donor provides updates or requests deletion.

How does CDT share or disclose information?

CDT does not buy, sell, rent, exchange or otherwise disclose any information that we collect, except as described in this section or elsewhere in this policy. CDT does share information about you to third parties in limited circumstances, including:

Legal Requirements CDT cannot guarantee that your personal information will never be sought by subpoena, search warrant, court order, or other lawful form of legal process. We will comply with lawful requests from government agencies that follow appropriate legal standards and procedures. If we receive a request from a governmental entity to disclose information about you, we will (unless prohibited by law or court order from doing so) attempt to contact you prior to such disclosure so that you can object. If we comply with a disclosure request from a government agency we will subsequently (unless prohibited by law or court order from doing so) attempt to contact you in order to disclose to you the fact that we have disclosed information about you and to tell you what information we have disclosed. We will object to disclosure demands that we believe are improper. If we receive a request from a non-governmental entity (such as a civil litigant) for disclosure of information about your activities on our website, we will insist that the requesting party obtain at least a subpoena, and we will (unless prohibited by law or court order from doing so) attempt to contact you prior to such disclosure so that you can object. If we comply with a non-governmental entity’s disclosure request we will subsequently (unless prohibited by law or court order from doing so) attempt to contact you in order disclose to you the fact that we have disclosed information about you and to tell you what information we have disclosed. Again, we will object to disclosure demands that we believe are improper.

To Defend Ourselves CDT may disclose information to a third party if we reasonably believe that our system has been attacked and the information is necessary to describe the attack. We also reserve the right to affirmatively share or to provide to law enforcement evidence of malicious attacks or other unlawful activity or content.

Service Providers and Contractors CDT shares information we collect to service providers and contractors that provide administrative services and support for us. While CDT depends on third parties to support some of our services and operations, we strive to select vendors and contractors who have strong privacy and security policies. This includes Amazon Web Services (AWS) to host our website, iATS Payments to process donations, and Salesforce to manage our email and contact databases. These services are contractually prohibited from using that information for their own purposes.

What rights do you have? What if you want to know what information we have about you?

You have the right to access, correct, update, or delete the information we may have about you. For example, donors can request their own personal account profile, which includes contact information, funding history, newsletter subscriptions, working group memberships, and select communication records. Please contact us to exercise these rights. We will endeavor to disclose to you any information we have about you, and we will attempt to comply with your request to the best of our capabilities. DID YOU KNOW? Children under the age of 13 have special protections under law. While CDT’s content is appropriate for most audiences, we do not knowingly market our website or other materials to children. If CDT discovers it inadvertently has information about a child under the age of 13, we will promptly delete it.

Changes to our policies.

We have most recently revised our Privacy Policy in the spirit of the EU’s General Data Protection Regulation, which entered into effect on May 25, 2018. Whenever we make substantial changes to our Privacy Policy, we will announce the changes on our blog and give users 30 days’ notice in advance of the policy taking effect. Regardless, any future privacy policy changes will not apply to information we collect pursuant to an older policy; the older policy will still apply to that data.

Any complaints or concerns?

If you have any concerns about this policy, please contact CDT via our Contact page or call (202) 637-9800. We can also be reached at 1401 K Street NW, Suite 200, Washington DC 20005.